Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA

Photo: Carolyn Kaster/AP

After years of studied silence on the government’s secret and controversial use of security vulnerabilities, the White House has finally acknowledged that the NSA and other agencies exploit some of the software holes they uncover, rather than disclose them to vendors to be fixed.

But Obama included a major loophole in his decision, which falls far short of recommendations made by a presidential review board last December: According to Obama, any flaws that have “a clear national security or law enforcement” use can be kept secret and exploited.

This, of course, gives the government wide latitude to remain silent on critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify their exploitation.

A so-called zero-day vulnerability is one that’s unknown to the software vendor and for which no patch therefore exists. The U.S. has long wielded zero-day exploits for espionage and sabotage purposes, but has never publicly stated its policy on their use. Stuxnet, a digital weapon used by the U.S. and Israel to attack Iran’s uranium enrichment program, used five zero-day exploits to spread.

Last December, the President’s Review Group on Intelligence and Communications Technologies declared that only in rare instances should the U.S. government authorize the use of zero-day exploits for “high priority intelligence collection.” The review board, which was convened in response to reports of widespread NSA surveillance revealed in the Edward Snowden documents, also said that decisions about the use of zero-day attacks should only be made “following senior, interagency review involving all appropriate departments.”

“In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the review board wrote in its lengthy report (.pdf). “Eliminating the vulnerabilities — ‘patching’ them — strengthens the security of US Government, critical infrastructure, and other computer systems.”

When the government does decide to use a zero-day hole for national security purposes, they noted, that decision should have an expiration date.

“We recommend that, when an urgent and significant national security priority can be addressed by the use of a Zero Day, an agency of the US Government may be authorized to use temporarily a Zero Day instead of immediately fixing the underlying vulnerability,” they wrote. “Before approving use of the Zero Day rather than patching a vulnerability, there should be a senior-level, interagency approval process that employs a risk management approach.”

But Obama appeared to ignore these recommendations when the report was released. A month later, when he announced a list of reforms based on the review board’s report, the issue of zero days went unaddressed.

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” the statement said.

Intelligence authorities also revealed that in response to the presidential review board’s recommendations in December, the White House had recently reviewed and “reinvigorated an interagency process for deciding when to share” information about zero day vulnerabilities with vendors and others so that the security holes could be patched.

“When Federal agencies discover a new vulnerability in commercial and open source software … it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose,” the statement said.

The government process for deciding on whether or not to use a zero-day exploit is called the Vulnerabilities Equities Process, and the statement said that unless there is “a clear national security or law enforcement need,” the equities process is now “biased toward responsibly disclosing such vulnerabilities.”

This implies, of course, that the bias was aimed in favor of something else until now.

“If this is a change in policy, it kind of explicitly confirms that beforehand that was not the policy,” says Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council and a former officer in the Air Force’s cyber division.

The government’s use of zero-day exploits has exploded over the last decade, feeding a lucrative market for defense contractors and others who uncover critical flaws in the software used in cell phones, computers, routers, and industrial control systems and sell information about these vulnerabilities to the government.

But the government’s use of zero days for exploitation purposes has long contradicted Obama’s stated policy claims that the security of the internet is a high priority for his administration.

The NSA’s offense-oriented operations in the digital realm would also seem to directly oppose the agency’s own mission in the defensive realm. While the NSA’s Tailored Access Operations division is busy using zero days to hack into systems, the spy agency’s Information Assurance Directorate is supposed to secure military and national security systems, which are vulnerable to the same kinds of attacks the NSA conducts against foreign systems. The NSA is also supposed to assist the DHS in helping to secure critical infrastructures in the private sector, a duty that is compromised if the NSA is keeping silent about vulnerabilities in industrial control systems and other critical systems in order to exploit them.

The government has used its equities process to analyze its use of zero-day exploits for the better part of a decade. That process is patterned after the approach used by the military and intelligence community in times of war to decide when information gleaned through intelligence should be exploited for military gain or kept secret to preserve intelligence capabilities.

The equities process for zero days has until now largely been focused on critical infrastructure systems — for example, the industrial control systems that manage power plants, water systems, electric grids — with the aim of giving government agencies the opportunity to state when disclosing a vulnerability to the vendor might interfere with their own ability to exploit the vulnerability. When vulnerabilities have been found in more general computing systems that could have an impact on U.S. military and other critical government systems, sources say the government has engaged in a form of limited disclosure — working on ways to mitigate the risk to critical government systems while still keeping the vulnerability secret so that it can be exploited in enemy systems.

But the first hint that the government’s policy in this area was beginning to lean more toward disclosure than exploitation appeared in March during the confirmation hearing for Vice Admiral Michael Rogers to replace Gen. Keith Alexander as head of the NSA and the U.S. Cyber Command. In testimony to the Senate Armed Services Committee (.pdf), Rogers was asked about the government’s policies and processes for handling the discovery and disclosure of zero days.

Rogers said that within the NSA “there is a mature and efficient equities resolution process for handling ‘0-day’ vulnerabilities discovered in any commercial product or system (not just software) utilized by the U.S. and its allies.”

The policy and process, he said, ensures that “all vulnerabilities discovered by NSA in the conduct of its lawful missions are documented, subject to full analysis, and acted upon promptly.” He noted that the NSA is “now working with the White House to put into place an interagency process for adjudication of 0-day vulnerabilities.”

He also said that “the balance must be tipped toward mitigating any serious risks posed to the U.S. and allied networks” and that he intended to “sustain the emphasis on risk mitigation and defense” over offensive use of zero days.

Rogers noted that when the NSA discovers a vulnerability, “Technical experts document the vulnerability in full classified detail, options to mitigate the vulnerability, and a proposal for how to disclose it.” The default is to disclose vulnerabilities in products and systems used by the U.S. and its allies, said Rogers, who was confirmed by the Senate and took command of the NSA and US Cyber Command in March.

“When NSA decides to withhold a vulnerability for purposes of foreign intelligence, then the process of mitigating risks to US and allied systems is more complex. NSA will attempt to find other ways to mitigate the risks to national security systems and other US systems, working with stakeholders like CYBERCOM, DISA, DHS, and others, or by issuing guidance which mitigates the risk.”

Healey notes that the public statements on the new policy leave a lot of questions unanswered and raise the possibility that the government has additional loopholes that go beyond the national security exception.

The statement by the Office of the Director of National Intelligence about the new bias toward disclosure, for example, specifically refers to vulnerabilities discovered by federal agencies, but doesn’t mention vulnerabilities discovered and sold to the government by contractors, zero-day brokers or individual researchers, some of whom may insist in their sale agreements that the vulnerability not be disclosed.

If purchased zero days vulnerabilities don’t have to be disclosed, this potentially leaves a loophole for the secret use of these vulnerabilities and also raises the possibility that the government may decide to get out of the business of finding zero days, preferring to purchase them instead.

“It would be a natural bureaucratic response for the NSA to say ‘why should we spend our money discovering vulnerabilities anymore if we’re going to have to disclose them?'” Healey says. “You can imagine a natural reaction would be for them to stop spending money on finding vulnerabilities and use that money to buy them off the grey-market where they don’t have to worry about that bias.”

The government’s new statement about zero days also doesn’t address whether it applies only to vulnerabilities discovered in the future or to the arsenal of zero-day vulnerabilities the government already possesses.

“Do you grandfather in all of the existing vulnerabilities that are in the Tailored Access Operations catalog or are they going to go through with the new bias and review every vulnerability they have in their catalog?,” Healey asks. “The military will do everything they can to not do that.”

If the government does apply the new rules to its back-catalog of exploits, suddenly disclosing to vendors a backlist of zero-day vulnerabilities it has been sitting on and exploiting for years, it may well be detectable, Healey notes. The tell-tale sign to look for: a slew of new patches and vulnerability announcements from companies like Microsoft and Adobe.